For publishers, malware attacks are sieges, not single strikes

On February 10, The Washington Post reported that Forbes’ famous “Thought of the Day” interstitial ad had been compromised by hackers. Using malware that ran unchecked for three days, the attackers redirected visitors to another website, where malicious software was installed on some of their computers.

Forbes can take comfort in not being alone — The Huffington Post, GameZone, The Jerusalem Post and LA Weekly have also fallen victim to recent malware attacks.

Increasingly, publishers are being targeted with malvertising — the use of online advertising to spread malware. The problem isn’t always on the publisher’s side: With the popularity of ad networks, it’s easier than ever for hackers to insert malware into a publisher’s inventory via advertising assets. These attacks are increasingly hard to prevent.

January 2015: Advertising.com spreads ransomware

A few days into the new year, Advertising.com was compromised by malware. As a result, the popular ad server (owned by AOL) distributed dangerous malware to a number of high-profile, high-traffic publishers, including HuffPo.

The payload was the very aggressive Kovter ransomware, which prevented users from accessing their mouse and keyboard until a ransom was paid. According to CSO, AOL’s network delivers ads to a staggering 199 million uniques every month in the U.S. alone. (That’s about 90 percent of the entire American Internet audience.) Even if just a tiny percentage of affected users paid the ransom, the hackers earned a sizeable if ill-gotten paycheck.

Though they were called out by reporters covering the breach, the publishers were not really at fault. The malvertising was technically delivered via AOL’s ad servers; most likely, it had passed security screening by masquerading as legitimate code.

Upon activation, the hidden malware redirected users to a number of different websites, with each step disguising both the code’s source and its true purpose. Eventually, the ransomware was unleashed and remained active for two days.

September 2014: Cryptowall takes over DoubleClick

The AOL attack was hardly the first of its kind. Five months earlier, Google’s DoubleClick network fell victim to a similar attack. In this case, the infamous ransomware Cryptowall was distributed by several well-known publishers, including The Times of Israel and The Jerusalem Post.

This attack illustrates the dynamic nature of malware. By presenting itself as harmless code during initial scans, malware can bypass rudimentary security measures. In reality, the damaging code can be activated at a later time. The trigger can be based on any number of variables.

For example, the code may be harmless at 8 a.m. for users in France; then, four hours later, readers with Canadian IP addresses find themselves targeted by a malvertising attack.
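One way an ad-operations team can check for this kind of conditional activation is to rescan each creative from several countries and times of day and compare what it actually serves. The sketch below is an added example, not part of the original article or any vendor's product; the record fields, creative IDs and `.example` domains are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Scan(NamedTuple):
    creative_id: str
    utc_hour: int          # hour of day the scan ran (UTC)
    geo: str               # country of the scanning vantage point
    redirect_chain: tuple  # domains visited, in order
    script_digest: str     # digest of the script body that was served


# Constructed sample data: three creatives scanned from FR and CA vantage points.
SCANS = [
    Scan("cr-1001", 8, "FR", ("ads.example", "shop.example"), "aa11"),
    Scan("cr-1001", 12, "FR", ("ads.example", "shop.example"), "aa11"),
    Scan("cr-1001", 8, "CA", ("ads.example", "shop.example"), "aa11"),
    Scan("cr-1001", 12, "CA", ("ads.example", "hop1.example", "landing.example"), "bb22"),
    Scan("cr-2002", 8, "FR", ("ads.example", "news.example"), "cc33"),
    Scan("cr-2002", 12, "CA", ("ads.example", "news.example"), "cc33"),
    Scan("cr-3003", 8, "FR", ("ads.example", "store.example"), "dd44"),
]


def audit(scans, min_vantage_points=2):
    """Flag creatives whose served behaviour differs by country or time."""
    by_creative = defaultdict(list)
    for scan in scans:
        by_creative[scan.creative_id].append(scan)

    report = {}
    for cid, group in by_creative.items():
        group.sort(key=lambda s: (s.utc_hour, s.geo))
        vantage_points = {(s.geo, s.utc_hour) for s in group}
        # A single onboarding scan cannot reveal delayed or geo-gated behaviour.
        if len(vantage_points) < min_vantage_points:
            report[cid] = ("insufficient-coverage", [])
            continue
        baseline = (group[0].redirect_chain, group[0].script_digest)
        drift = [(s.geo, s.utc_hour) for s in group
                 if (s.redirect_chain, s.script_digest) != baseline]
        report[cid] = ("cloaking-suspected", drift) if drift else ("consistent", [])
    return report


if __name__ == "__main__":
    for cid, (verdict, where) in sorted(audit(SCANS).items()):
        print(cid, verdict, where)
```

The earliest scan is treated as the approved baseline, so a creative that was only ever scanned once is reported as unverified rather than clean.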

In the worst cases, these visitors don’t even know they’re infected. The code may hijack your traffic through domain spoofing; it may run a “traffic fraud” campaign; it may even insert illegitimate ads into your inventory. Even when publishers have their own server protection measures in place, third-party ads can still reach users because they’re coming from external servers.

In the DoubleClick attack, the financial damage cannot be determined because it’s impossible to know how many ransoms were paid. Likewise, brand damage is impossible to enumerate. Publishers must be aware of the risks and take back control.

To get started, download this free malware explainer, presented by GeoEdge in partnership with Digiday Content Studio.
